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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by 
the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General 
Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our 
oversight responsibilities to promote economy, efficiency, and effectiveness within the department. 

The attached report presents the results of the Transportation Security Administration's fiscal year 
2008 Mission Action Plans audit. We contracted with the independent public accounting firm KPMG 
LLP (KPMG) to perform the audit. The contract required that KPMG perform its audit according to 
generally accepted government auditing standards. KPMG is responsible for the attached 
independent auditor's report and the conclusions expressed in it. 

The recommendations herein have been discussed in draft with those responsible for implementation. 
It is our hope that this report will result in more effective, efficient, and economical operations. We 
express our appreciation to all of those who contributed to the preparation of this report. 




Richard L. Skinner 
Inspector General 




KPMG LLP 

2001 M Street, NW 
Washington. DC 20036 



Telephone 2025333000 
Fax 202 533 8500 

Internet www.tis.kpmg.com 



February 22, 2008 

Ms. Anne Richards 

Assistant Inspector General for Audits 

Department of Homeland Security, Office of the Inspector General 

Mr, David Norquist 
Chief Financial Officer 
Department of Homeland Security 

This report presents the results of our work conducted to address the performance audit objectives relative 
to the Department of Homeland Security's (DHS or the Department) Mission Action Plans (MAPs) 
developed to address the internal control deficiencies at the U.S. Transportation Security Administration 
(TSA). These deficiencies were identified by management and/or reported in KPMG LLP (KPMG) 
Independent Auditors' Report included in the Department's fiscal year 2007 Annual Financial Report 
(herein referred to as the "FY 2007 Independent Auditors' Report"). 

This performance audit is the third in a series of four performance audits that the Department's Office of 
Inspector General (OIG) has engaged us to perform related to the Department's fiscal year 2008 MAPs 
that are contained with the Department's Internal Controls Over Financial Reporting Playbook (ICOFR 
Play book). This performance audit was designed to meet the objectives identified in the Objectives, 
Scope, and Methodology section of this report. Our audit procedures were performed using draft MAPs 
provided to us on January 4, 2008. Interviews with TSA management and other testwork, was performed 
at various times through February 21 , 2008, and our results reported herein are as of February 22, 2008. 

We conducted this performance audit in accordance with generally accepted government auditing 
standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on 
our audit objectives. 

The performance audit did not constitute an audit of financial statements in accordance with GAGAS. 
KPMG was not engaged to, and did not, render an opinion on the Department's or TSA's internal controls 
over financial reporting or over financial management systems (for purposes of Office of Management 
and Budget Circular No. A- 1 27, Financial Management Systems, July 23, 1993, as revised). KPMG 
cautions that projecting the results of our evaluation to future periods is subject to the risks because of 
changes in conditions or because compliance with controls may deteriorate. 
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EXECUTIVE SUMMARY 



The Department of Homeland Security (DHS or the Department) has identified weaknesses in internal 
control over financial reporting through its annual assessment conducted pursuant to Office of 
Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, 
and compliance with the Federal Managers ' Financial Integrity Act (FMFIA). Some of the deficiencies 
are material weaknesses identified by DHS' external financial statement auditor. Beginning in 2006, the 
Department launched a comprehensive corrective action plan to remediate known internal control 
deficiencies. The plan is documented in the Internal Controls Over Financial Reporting Playbook 
(ICOFR Playbook). The Mission Action Plan (MAP) is a key element of the ICOFR Playbook that 
documents the remediation actions planned for each control deficiency at the DHS component level. The 
MAP provides specific actions, timeframes, key milestones, assignment of responsibility, and the timing 
of corrective action validation. 

The U.S. Transportation Security Administration (TSA) developed four MAPs to be included in the 2008 
ICOFR Playbook, The MAPs are intended to address control deficiencies identified in General Ledger 
Management, Property Management, Employee Accrued Leave, and Budgetary Resource Management. 

The objective of this performance audit was to evaluate and report on the status of the four detailed MAPs 
prepared by the TSA to correct internal control deficiencies over financial reporting described above. We 
conducted our audit in accordance with the standards applicable to such audits contained in the 
Government Auditing Standards, issued by the Comptroller General of the United States. Our audit was 
performed using specific criteria to assess the MAP development process used by TSA, and evaluate the 
MAPs submitted by TSA to the DHS Chief Financial Officer to be included in the 2008 ICOFR 
Playbook. 

The evaluation criteria were developed from a variety of sources including technical guidance published 
by OMB, the Government Accountability Office, and applicable laws and regulations.; We also 
considered DHS' policies and guidance and input from the Office of Inspector General when designing 
evaluation criteria. Our evaluation criteria are: 

1. Identification (of the root cause) - Identification of the appropriate underlying root cause that is 
causing the internal control deficiency condition(s). 

2. Development (of the MAP) - Clear action steps that address the root cause, and attainable and 
measurable milestones at an appropriate level of detail. 

3. Accountability (for execution of the MAP) - The individual MAP owner is responsible for its 
successful implementation, ensuring that milestones are achieved and that the validation phase is 
completed. 

4. Verification and validation - The MAP includes written procedures to verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and 
reporting results when complete. 

We noted that the TSA has prepared MAPs that address its known control deficiencies described above. 
I SA's FY 2008 MAPs were submitted timely to the Department's Chief Financial Officer to be included 
the ICOFR Playbook. In addition, TSA has implemented a process to monitor its progress toward 
completion of its milestones this year. 

We also noted some areas where the MAPs could be improved. Specifically, we noted that the MAP 
milestones are not clearly linked to root causes. Critical interdependericies are not identified within each 
MAP and affected milestones, such as those between milestones, accounting processes, and /or with third 
parties (e.g., U.S. Coast Guard information technology (IT) systems). The verification and validation 
(V&V) plans also could be improved by further development. 

We recommended that the TSA revise its MAPs to address these concerns. Specifically, TSA should: 
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• Continue to perform a comprehensive root cause analysis and maintain documentation to support the 
analysis, including a review of financial IT systems, processes, and human resources. 

• Improve the MAPs by clearly linking each deficiency or root cause identified by management (as well 
as those identified by the independent auditor) to milestones. 

• Identify critical interdependences and include milestones recognizing /these dependencies. 

• Include V&V procedures as each critical milestone is completed in order to accurately track the 
progress of each MAP. V&V should be performed by someone other than the process owner and 
should be documented for external audit and OMB Circular A- 123 support. 
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BACKGROUND 



The Department of Homeland Security (DHS or the Department) and the U.S. Transportation Security 
Administration (TSA) recognize that deficiencies in internal control over financial reporting exist. The 
internal control deficiencies are reported by DHS management in its annual Secretary's Assurance 
Statement, issued pursuant to Office of Management and Budget (OMB) Circular No. A- 123, 
Management's Responsibility for Internal Control. The Secretary's Assurance Statement and the findings 
of the external auditor are reported in the Department's fiscal year 20Q7 Annual Financial Report (AFR). 
The conditions causing the control weaknesses are diverse and complex. The evolution of the 
Department's mission, programs, component restructuring, and other infrastructure changes has made 
remediation of these control weaknesses very challenging. To meet this challenge, the Department's 
Secretary, Chief Financial Officer and financial management in the DHS components have adopted a 
comprehensive strategy to implement corrective actions beginning in fiscal year 2007 and continuing in 
FY2008. 

The DHS Office of the Chief Financial Officer (OCFO), Internal Control Program Management Office 
(ICPMO) is primarily responsible for the development and implementation of the Department's strategy 
to implement corrective action plans. The ICPMO has documented its strategy and other related plans to 
remediate identified internal control deficiencies in the Internal Controls Over Financial Reporting 
Playbook (ICOFR Playbook). 

In 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the 
Department enhanced its existing guidance by issuing the Mission Action Plan Guide, Financial 
Management Focus Areas Fiscal Year 2008 (MAP Guide). In accordance with the MAP Guide, the 
Department and its components developed Mission Action Plans (MAP) that describe the corrective 
actions to be implemented. The Department continued to utilize an Electronic Program Management 
Office (ePMO), a Web-based software application, to manage the collection and reporting of MAP 
information. 

The MAP Guide is applicable to all Department components, including TSA, and outlines the policies 
and procedures necessary to develop fiscal year 2008 Department MAPs. All components were required 
to submit MAPs, or MAP updates, for any new or existing internal control deficiencies over financial 
reporting, identified by management or the external auditors, for input into to the fiscal year 2008 ICOFR 
Playbook. 

• 

To comply with Management Directive 1030 and the MAP Guide, TSA's Internal Controls Branch 
prepared four detailed MAPs for fiscal year 2008 to address the internal control deficiencies over 
Financial Reporting, Capital Assets and Supplies, Actuarial and Other Liabilities, and Budgetary 
Accounting that contributed to Departmental material weaknesses in the 2007 Independent Auditors' 
Report. The internal control deficiencies associated with each MAP are summarized below: 

• General Ledger Management - TSA made a number of restatements to its prior year financial 
statements and did not have certain policies and procedures in place all fiscal year. It required 
numerous other on-top adjustments to properly close and report its monthly and annual financial 
results. TSA required significant additional human resources to perform its year-end general 
ledger close, prepare financial statements, and respond to audit inquiries in a timely manner. 

• Property Management - TSA maintains extensive capital assets used at airports to screen 
passengers and their baggage. It did not reconcile its property subsidiary ledger to its general 
ledger consistently and timely throughout FY 2007. TSA had not recorded depreciation on 
certain equipment using a method that is consistent with U.S. generally accepted accounting 
principles. TSA is not recording purchases of property in compliance with the U.S. Standard 
General Ledger, and improperly capitalized certain advance payments as construction in progress. 
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• Employee Accrued Leave - A part of TSA's employee compensation package includes annual 
leave, which accrues at varying rates and is based on years of service, and related benefits. TSA 
has not maintained all of the necessary supporting documentation for accrued annual leave. Also, 
it has not reconciled annual leave balances earned by employees per the payroll provider's output 
records to the data submitted by TSA and with the general ledger on a routine basis. 

• Budgetary Resource Management — TSA has substantial obligations and undelivered orders at 
year end, primarily for contract services and purchases of equipment. TSA does not have a funds 
control process in place to monitor outstanding obligation balances on a periodic basis. It does 
not have sufficient policies and procedures requiring contract officers to monitor and close-out 
contracts. 

OBJECTIVE, SCOPE, AND METHODOLOGY 
Objective 

The objective of this performance audit was to evaluate and report on the status of detailed MAPs 
prepared by the TSA to correct internal control deficiencies over financial reporting. Our evaluation was 
performed using specific criteria, described in the methodology section below, to assess the process used 
to develop and document the TSA fiscal year 2008 MAPs. We did not evaluate the outcome of the MAP 
process or any corrective actions taken by management during our audit, and our findings should not be 
used to project ultimate results from MAP implementation. Recommendations are provided to help 
address findings identified during our performance audit. 

Scope 

The scope of this performance audit includes TSA's FY 2008 MAPs developed to address the Financial 
Reporting, Capital Assets and Supplies, Actuarial and Other Liabilities, and Budgetary Accounting 
internal control deficiencies at TSA as reported in the Secretary's FY 2007 Assurance Statement and in 
the FY 2007 DHS Independent Auditors' Report. The MAPs subjected to our performance audit were 
provided by the OCFO, on behalf of the TSA, on January 4, 2008. The scope of this performance audit 
did not include procedures on any of the MAPs associated with other control deficiencies existing at TSA 
as reported in the FY 2007 Independent Auditors' Report, interviews with TSA management and other 
testwork, was performed at various times through February 21, 2008, and our results reported herein are 
as of February 22, 2008. TSA made certain modifications to, the MAPs after January 4, 2008, some of 
which are reflected in the ICOFR Playbook. We considered those modifications in drafting our report, 
however, due to the timing of our review, we were unable to perform procedures to verify the validity of 
those modifications. 

Methodology 

We conducted this performance audit in accordance with the standards applicable to such audits contained 
in the Government Auditing Standards, issued by the Comptroller General of the United States, Our 
methodology consisted of the following four-phased approach: 

Project Initiation and Planning - We attended meetings with the Department's Office of Inspector 
General (OIG), OCFO, and TSA to review the performance audit objectives and scope, describe our 
approach, communicate data requests, and gain an understanding of the status of TSA's 2008 MAPs. 

Data Gathering - We performed interviews with accounting and finance management and staff at TSA 
and OCFO. Through these interviews, we gained an understanding of the process used to develop the 
MAPs, including key inputs and data used, assumptions made, and reasons for conclusions reached. The 
interviews focused on the analysis performed by the TSA to identify the underlying problems creating the 
internal control weakness (root cause) and planned corrective actions, the critical milestones chosen for 
measurement, and the methods used to monitor and validate progress in meeting the milestones. We 
discussed TSA's resource allocation strategy employed in the development arid eventual implementation 
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of the MAP, including the utilization of contractors to supplement staff as needed and the use of 
specialists, if necessary. We also conducted meetings with the Department's OIG to identify and agree to 
the criteria used to evaluate the status, and assess the process used to develop and document the TSA 
fiscal year 2008 MAPs (as defined below). 

We performed reviews of key documents and supporting information provided to us. Our documentation 
reviews included: 

• The four TSA MAPs (i.e., the MAP Detail and Summary Reports) that were included within our 
scope, and any underlying supporting documentation provided by TSA. . 

• The Notice of Findings and Recommendations (NFRs) issued during the FY 2007 financial 
statement audit by the external auditors that supported the internal control findings reported in the 
FY 2007 Independent Auditors' Report. 

• Information provided by TSA management regarding the allocation of resources related to all 
MAPs, including the utilization of contractors. 

• The Annual Component Head Assurance Statements provided pursuant to the requirements of 
OMB Circular No. A- 123. 

• The ICOFR Playbook, MD 1030, the MAP Guide, and existing internal control monitoring 
guidance (e.g., OMB Circular No. A- 123). 

Analysis Using Established Criteria - Our evaluation criteria were developed from a variety of sources 
including technical guidance published by OMB (e.g., Circular No. A- 123) and the Government 
Accountability Office (e.g., Standards for Internal Control in the Federal Government), and applicable 
Federal laws and regulations (e.g., Federal Managers' Financial Integrity Act of 1982). We also 
considered DHS' policies and guidance, such as the MAP Guide and the ICOFR Playbook, and input 
from the OIG. Our evaluation criteria are': 

1 . Identification (of the root cause) -Identification of the appropriate underlying root cause that is 
causing the internal control deficiency. A comprehensive analysis typically includes a full 
assessment of the business processes, data flows, and information systems that drive the 
transactions/activities associated with the accounting process where the internal control deficiencies 
are believed to exist. A thorough root cause analysis should include: 

a) Research to discover why, when, and how the condition occurred -^what went wrong and why? 

b) Investigation to determine if the problem is procedural or human resources, or both (processes, 
and / or people). 

c) An evaluation to determine if IT system functionality is contributing to the problem, and if IT 
system modifications could be part of the remediation. 

d) An evaluation of internal controls, including the existence of compensating controls that may 
mitigate the deficiency. 

e) An evaluation to determine if third parties (e.g. accounting services provider) are contributing to 
the problem. 

2. Development (of the MAP) — The MAP includes action steps that address the root cause, and 
attainable and measurable milestones at an appropriate level of granularity. Milestones should enable 
independent analysis of a MAP's effectiveness in remediation of root causes and provide MAP users 
with insight on the status of the MAP's implementation. For example, they should enable a user to 
determine if the appropriate level of resources to execute a milestone is available and identify 
potential gaps in milestones (e.g., a contractor may need to be hired before a specific milestone can be 
achieved). 

3. Accountability (for execution of the MAP) - Accountability for the MAP is clearly identified and 
assigned. The individual MAP owner is responsible for its successful implementation, ensuring that 
milestones are achieved, and validation of results. 
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4. Verification and Validation - The MAP includes written procedures that verify successful 
implementation of the MAP, provide a means to track progress throughout the MAP lifecycle, and 
require reporting of results when complete. These activities should include documentation reviews, 
work observations, and performance testing that are maintained for internal OMB Circular No. A- 123 
review and external audit. 

Results — Findings and Recommendations — After conducting our analysis and applying the evaluation 
criteria to the MAPs, we formulated our findings and recommendations. The findings represent areas for 
potential improvement that could negatively affect TSA's remediation of the control deficiencies if the 
MAP is executed as designed. 

FINDINGS AND RECOMMENDATIONS 

Findings 

TSA prepared and submitted MAPs to the OCFO as instructed in the MAP Guide. The MAPs address 
each of the four primary processes where control deficiencies existed at the end of fiscal year 2007. The 
General Ledger, Budgetary Resource and Property Management MAPs were updates to MAPs prepared 
in previous years (dating back to fiscal year 2005). The Employee Accrued Leave MAP was prepared in 
response to a new control weakness identified in fiscal year 2007. TSA's fiscal year 2008 MAPs were 
submitted timely to the Department's Chief Financial Officer. In addition, TSA has implemented a 
monitoring process, including periodic meetings to discuss the status of the MAPs and the related 
milestones. ' 

TSA's documentation of its root cause analysis was limited to the information provided on the MAP. 
Consequently, our review of TSA's work supporting its MAP was limited to reading the MAP, comparing 
the information to the DHS FY 2007 Independent Auditors' Report, and inquiring of various TSA 
personnel and management. We were unable to verify, through the documentation made available to us, 
that the remediation plans address all potential causes of the control deficiencies. However, based on our 
inquiries with TSA personnel, we determined that TSA was knowledgeable of the MAP Guide, 
performed a review to determine the source and cause of control deficiencies, and incorporated the results 
into the individual MAPs in the form of milestones. 

Our findings were: 

• Three of the MAPs, i.e., General Ledger, Property, and Budgetary Resource Management, do not 
adequately define the control deficiencies being corrected and/or the purpose of the MAP. The 
Issue Description section does not clearly define the underlying issues or problems that were 
identified during the root cause analysis, or lead the reader to the corrective actions (e.g., 
milestones). In some cases, known problems do not have corresponding milestones (e.g., a 
milestone to address the lack of documentation supporting employee leave balances). 

• The financial statement assertion sections of the MAPs were not complete at the time of our 
audit, and consequently, the MAP milestones are not linked to the financial statement assertions 
(e.g., completeness, accuracy, and existence) affected by the control weaknesses. However, we 
noted that the financial statement assertion sections were completed in subsequent versions of the 
MAPs provided by TSA to the OCFO on January 18, 2008, which were included in the ICOFR 
Playbook. 

• The milestone steps are not clearly linked to root causes. As a result, we could not determine 
how the milestones related to the issues identified and root causes, or if the milestones listed in 
the TSA MAP sufficiently addressed all root causes and corresponding control deficiencies. 
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• Although not required by the DHS CAP Guide, critical interdependencies are not identified 
within each MAP and affected milestones. We identified three interdependencies that should be 
considered in each MAP: 

- Interdependencies between milestones (e.g., defining new staff responsibilities (#1 . 17.4 - 
4/2008) should follow Human Resource approval (#1.17.2 - 7/2008) in the Budgetary 
Resource MAP); 

- Interdependencies between accounting processes (e.g., general ledger and budgetary 
processes); and 

Interdependencies with third parties (e.g., U.S. Coast Guard (USCG), TSA's accounting 
services provider). 

The MAP does not address the interdependencies with other Departmental control deficiencies, or 
the degree of reliance between MAPs. For example, to successfully implement the General 
Ledger Management MAP, it may be necessary for TSA to meet milestones and correct 
underlying conditions identified in other MAPs related to financial reporting and/or the IT 
processes, or for the USCG to implement corrective actions. Control deficiencies identified at the 
USCG may be particularly relevant since TSA's general ledger is maintained on USCG's IT 
systems. We noted that the Dependencies sections of the MAPs were completed in subsequent 
versions of the MAPs provided by TSA to the OCFO on January 18, 2008. However, milestones 
were not updated to cross-reference corrective actions or milestones with dependencies. Full 
remediation of TSA's control deficiencies may require the correction of other related control 
deficiencies, and/or advances made by other components in correcting their material weaknesses. 

• We noted the following matters related to the verification and validation (V&V) phase outlined in 
the TSA MAPs. The V&V processes: 

- Are not consistently documented across each MAP. While general V&V procedures have 
been developed that apply to all MAPs and three of the MAPs include specific V&V 
procedures, the Employee Accrued Leave MAP does not include specific V&V 
procedures to test whether milestones have been successfully implemented. Instead, it 
includes outcomes that, if achieved, will indicate that corrective actions have been 
implemented; 

- Are deferred until the end of the MAP instead of incrementally throughout the MAP 
process. However, preliminary testing procedures are performed on an ad-hoc basis. For 
those milestones in which preliminary testing procedures are not performed, validation is 
limited to a weekly review of the milestone progress; and 

Recommendations 

We recommend that the TSA perform the following to address our findings. 

1. Continue to perform a comprehensive and thorough root cause analysis and maintain documentation 
to support that an analysis was performed to identify the underlying causes of the control deficiencies, 
including a review of financial IT systems, processes, and human resources. 

2. Improve the MAPs as follows: 

a) Link the milestones to identified root causes and/or financial statement assertions. This will help 
ensure that corrective actions are comprehensive, addressing each of the issues, and that 
completion of the milestones will allow management to make all financial statement assertions; 
and 

b) Identify critical interdependencies and include specific milestones to recognize instances where 
the successful implementation of a MAP depends on corrective actions in other accounting 



processes or by third parties, and cross-reference to the other corrective action(s). 
with planning and help avoid unexpected interruptions to progress. 



This will help 



3. Develop V&V procedures to be performed as each critical milestone becomes complete, and involve 
actual testing of controls/processes, in order to accurately track the progress of each MAP. V&V 
procedures should be performed by someone other than the process owner and should be documented 
for external audit and OMB Circular No. A- 123 support. 

MANAGEMENT RESPONSE TO REPORT 

Management has prepared an official response presented as a separate attachment to this report. In 
summary, management agreed with our findings and its comments were responsive to our 
recommendations. We did not audit management's response and, accordingly, we express no opinion on 
it. 
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KEY DOCUMENTS AND DEFINITIONS 



This section provides key definitions and documents for the purposes of this report. 

The Federal Managers ' Financial Integrity Act (FMFIA") requires that Executive Branch Federal agencies 
establish and maintain an effective internal control environment according to the standards prescribed by 
the Comptroller General and specified in the Government Accountability Office's (GAO) Standards for 
Internal Control in the Federal Government. In addition, it requires that the heads of agencies to 
annually evaluate and report on the effectiveness of the internal control and financial management 
systems. 

GAO's Standards for Internal Control in the Federal Government (Standards) defines internal control as 
an integral component of an organization's management that provides reasonable assurance of: 
effectiveness and efficiency of operations, reliability of financial reporting, and compliance with 
applicable laws and regulations. 

The Department of Homeland Security Financial Accountability Act (the DHS FAA) designates the 
Department's Chief Financial Officer (CFO), under the authority of the Secretary, as the party responsible 
for the design and implementation of Department- wide internal controls. Furthermore, the DHS FAA 
requires that a management's assertion and an audit opinion of the internal controls over financial 
reporting be included in the Department's annual Performance and Accountability Report. 

Office of Management and Budget (OMB) Circular No. A-123. Management's Responsibility for 
Internal Control, provides guidance on internal controls and requires agencies and Federal managers to 
1) develop and implement management controls; 2) assess the adequacy of management controls; 3) 
identify needed improvements; 4) take corresponding corrective action; and 5) report annually on 
management controls. The successful implementation of these requirements facilitates compliance with 
both FMFIA and the DHS FAA. 

Office of Management and Budget COMB) Circular No. A-127. Financial Management Systems, 
prescribes policies and standards for executive departments and agencies to follow in developing, 
operating, evaluating, and reporting on financial management systems. The successful implementation 
of these requirements facilitates compliance with both FMFIA and the DHS FAA. 

Internal Control Deficiencies - A control deficiency exists when the design or operation of a control 
does not allow management or employees, in the normal course of performing their assigned functions, 
to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or 
combination of control deficiencies, that adversely affects DHS' ability to initiate, authorize, record, 
process, or report financial data reliably in accordance with U.S. generally accepted accounting 
principles such that there is more than a remote likelihood that a misstatement of DHS' financial 
statements that is more than inconsequential will not be prevented or detected by DHS' internal control 
over financial reporting. A material weakness is a significant deficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a material misstatement of the financial 
statements will not be prevented or detected by DHS' internal control. 

Management Directive (MP) 1030, Corrective Action Plans, establishes the "Department's vision and 
direction on the roles and responsibilities for developing, maintaining, reporting, and monitoring MAPs 
specific to the DHS Financial Accountability Act, FMFIA, and related OMB guidance." In addition to the 
roles and responsibilities, MD 1030 outlines the policies and procedures related to the MAP process. The 
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organizational structure detailed in MD 1030 encompasses employees at both the component and 
department levels. 

The Internal Controls Over Financial Reporting (ICOFR) Plctvbook (ICOFR Playbook) was developed 
by the OCFO, Internal Control Program Management Office, to assist the Department in meeting the 
financial accountability requirements outlined in the DHS FAA. The ICOFR Playbook outlines the 
Department's "strategy and process to resolve material weaknesses and build management assurances," 
On an annual basis, the ICOFR Playbook is updated by the OCFO to enhance its exiting guidance, as 
necessary, and establish milestones, which will be monitored by the OCFO throughout the year. A 
component of the ICOFR Playbook is MAPs developed by the Department and its components to correct 
internal control deficiencies. 

The Mission Action Plan Guide. Financial Management Focus Areas Fiscal Year 2008 ("MAP Guide) 
outlines the policies and procedures to be used to develop MAPs throughout DHS, pursuant to the roles 
and responsibilities established by the DHS Management Directive (MD) 1030, Corrective Action Plans. 
The MAP Guide applies to all Department Components and Offices (e.g., OFM) where a control 
deficiency has been identified. Note non-conformances related to the Federal Information Security 
Management Act (FISMA), are under the purview of the Department 's Chief Information Security 
Officer's Plan of Action and Milestones (POA&M) Process Guide. 

Electronic Program Management Office (ePMOV is a Web-based software application the OCFO 
deployed to manage the collection and reporting of MAP information. 

Mission Action Plans (MAPs), as defined in the MAP Guide, are documents prepared to facilitate the 
remediation of internal control deficiencies identified by management or by external parties. MAP 
documentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP 
Detailed Report that are required to be submitted to the OCFO through ePMO. Below are brief 
descriptions of the MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick 
Guide contained in the MAP Guide: 

• The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency 
conditions), results of the root cause analysis performed, relevant financial statement assertions 
affected by the issue, key strategies and performance measures, resources required, an analysis of 
the risks and impediments as seen by management, verification and validation methods, and the 
critical milestones to be achieved. 

• The MAP Detailed Report provides additional data on the milestones, not only oh those identified 
as critical but also those sub-milestones under a critical milestone. For each milestone (critical or 
sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started, 
Work in Progress and Completed), and the responsible and assigned parties. 

The Department's Annual Financial Report (DHS AFR) was issued on November 15, 2007 and consists 
of the Secretary's Message, Management's Discussion and Analysis, Financial Statements and Notes, an 
Independent Auditors' Report, Major Management Challenges, and other required information. The AFR 
was prepared pursuant to OMB Circular No. A-136, Financial Reporting Requirements. 
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U.S. Department of Homeland Security 



Office of Finance and Administration 
60! South \2* Street 
Arlington, VA 22202-4204 




Transportation 

Security 

Administration 



WAY 2 3 2008 



Ms. Anne L. Richards 
Assistant Inspector General for Audits 
Department of Homeland Security 
245 Murray Drive SW, Building 410 
Washington, DC 20528 

Dear Ms. Richards: 

This letter responds to KPMG's audit of the Transportation Security Administration (TSA) Fiscal 
Year (FY) 2008 Mission Action Plans (MAPs) as reported in the Draft Report: Independent 
Auditor 's Report on TSA 's FY 2008 Mission Action Plans dated May 6, 2008. The report notes 
TSA's development of four Mission Action Plans (MAPS) to correct internal control deficiencies 
over financial reporting. 

We concur with KPMG's findings and will be incorporating the recommendations noted in the report. 
On behalf of Assistant Secretary Hawley, I would like to express my appreciation for the efforts of 
your staff and the KPMG team in completing this audit. 



Sincerely, 




Assistant Administrator and Chief Financial Officer 
Office of Finance and Administration 
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